Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
390
Views
0
Helpful
4
Replies

ASA Active/Standby physical configuration

Go to solution
fsebera
Level 4
Level 4

‎04-12-2016 06:28 AM - edited ‎03-12-2019 12:36 AM

We have 2 ASAs setup in an active/standby configuration. The "Outside" interfaces on each ASA connects to a 1 of the 2 switches in the switch-stack as do the border routers - and this is for failover redundancy.

 ISPs-&-INTERNET

 |            |

 R------------R

 |            |

switch-----switch

 | outside | |

ASA          ASA

     inside

Red is "outside" interfaces

Blue is "failover" and "stateful" replication links

My first question is - Do we really need to run the failover and stateful replication link through "any" switches? Would it be better (more secure and less points of failure) to connect the failover and stateful replication link directly between ASAs without switches?

My second question is - Would it be better to use 2 physically links for these two services?

Thank you

Frank

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-12-2016 06:56 AM

99 times out of 100 I run the failover link using a cable directly between the two ASAs. The Cisco guides recommend a switch because it gives you a place to login and see the interface status apart from the ASAs. I tend to agree with your take however that a 6" cat 5 jumper fails less often than two jumpers plus a switch.

I only run state over a separate interface in very high bandwidth use cases (when I run it at all). I generally work with small-medium enterprises for whom maintaining state of every TCP connection in the event of a failover is not so critical. Larger enterprises and especially eCommerce application might have different business requirements which would drive the design differently.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fsebera

‎04-12-2016 08:13 AM

If you're using a switch and have decided to do stateful failover, the switch (whether or not it includes "outside" traffic) should have a dedicated VLAN (L2 only - no SVI L3 interface) for this traffic.

When I use outside switches I prefer they are the slightly higher end models with a strictly out of band management interface with its own VRF (like a 3560-X or higher) so that I never expose the switch management plane to the public Internet.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-12-2016 06:56 AM

99 times out of 100 I run the failover link using a cable directly between the two ASAs. The Cisco guides recommend a switch because it gives you a place to login and see the interface status apart from the ASAs. I tend to agree with your take however that a 6" cat 5 jumper fails less often than two jumpers plus a switch.

I only run state over a separate interface in very high bandwidth use cases (when I run it at all). I generally work with small-medium enterprises for whom maintaining state of every TCP connection in the event of a failover is not so critical. Larger enterprises and especially eCommerce application might have different business requirements which would drive the design differently.

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Marvin Rhoads

‎04-12-2016 08:02 AM

Hi Marvin,

Do you think this is a security concern since the state replication traffic is passing in clear text through the outside switch or is not really an issue?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fsebera

‎04-12-2016 08:13 AM

If you're using a switch and have decided to do stateful failover, the switch (whether or not it includes "outside" traffic) should have a dedicated VLAN (L2 only - no SVI L3 interface) for this traffic.

When I use outside switches I prefer they are the slightly higher end models with a strictly out of band management interface with its own VRF (like a 3560-X or higher) so that I never expose the switch management plane to the public Internet.

0 Helpful

Go to solution
fsebera
Level 4
Level 4
In response to Marvin Rhoads

‎04-12-2016 08:19 AM

Exactly!

Thank you

Frank

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card